Bug 2106286

Summary:	virt-sysprep: make an effort to support LUKS on LV
Product:	Red Hat Enterprise Linux 9	Reporter:	YongkuiGuo <yoguo>
Component:	guestfs-tools	Assignee:	Laszlo Ersek <lersek>
Status:	CLOSED ERRATA	QA Contact:	YongkuiGuo <yoguo>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	9.1	CC:	lersek, qzhang, rjones, virt-maint, ymao
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	guestfs-tools-1.48.2-5.el9	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-11-15 09:52:44 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description YongkuiGuo 2022-07-12 09:54:17 UTC

Description of problem:
virt-sysprep fails to run on encrypted disk image with LUKS on LV, but according to the LUKS FAQ, virt-sysprep should not be used on encrypted disk images.

https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md

CLONING/IMAGING: If you clone or image a LUKS container, you make a copy of the LUKS header and the volume key will stay the same! That means that if you distribute an image to several machines, the same volume key will be used on all of them, regardless of whether you change the passphrases. Do NOT do this! If you do, a root-user on any of the machines with a mapped (decrypted) container or a passphrase on that machine can decrypt all other copies, breaking security.

6.15 Can I clone a LUKS container?
You can, but it breaks security, because the cloned container has the same header and hence the same volume key. Even if you change the passphrase(s), the volume key stays the same. That means whoever has access to one of the clones can decrypt them all, completely bypassing the passphrases.

While you can use cryptsetup-reencrypt to change the volume key, this is probably more effort than to create separate LUKS containers in the first place.

The right way to do this is to first luksFormat the target container, then to clone the contents of the source container, with both containers mapped, i.e. decrypted. You can clone the decrypted contents of a LUKS container in binary mode, although you may run into secondary issues with GUIDs in filesystems, partition tables, RAID-components and the like. These are just the normal problems binary cloning causes.

Note that if you need to ship (e.g.) cloned LUKS containers with a default passphrase, that is fine as long as each container was individually created (and hence has its own volume key). In this case, changing the default passphrase will make it secure again.


Version-Release number of selected component (if applicable):
libguestfs-1.48.3-5.el9.x86_64
guestfs-tools-1.48.2-4.el9.x86_64


How reproducible:
100%


Steps:

1. Create an encrypted VM (rhel9-luks-on-lv) with LUKS on LV
# lsblk
NAME                                            MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sr0                                              11:0    1 1024M  0 rom  
vda                                             252:0    0   10G  0 disk  
├─vda1                                          252:1    0    1G  0 part  /boot
└─vda2                                          252:2    0    9G  0 part  
  ├─rhel-root                                   253:0    0    8G  0 lvm  
  │ └─luks-e5b1101d-815d-4f07-a19e-8f739bcc3657 253:2    0    8G  0 crypt /
  └─rhel-swap                                   253:1    0    1G  0 lvm  
    └─luks-91fdf893-fff9-40b1-be55-ddb872501e72 253:3    0 1008M  0 crypt [SWAP]

2.
# virt-sysprep  -a /var/lib/libvirt/images/rhel9-luks-on-lv.qcow2
[   0.0] Examining the guest ...
Enter key or passphrase ("/dev/rhel/root"):  --- input passphrase
Enter key or passphrase ("/dev/rhel/swap"):  --- input passphrase
[  19.3] Performing "abrt-data" ...
[  19.3] Performing "backup-files" ...
[  19.8] Performing "bash-history" ...
[  19.8] Performing "blkid-tab" ...
[  19.8] Performing "crash-data" ...
[  19.8] Performing "cron-spool" ...
[  19.8] Performing "dhcp-client-state" ...
[  19.8] Performing "dhcp-server-state" ...
[  19.8] Performing "dovecot-data" ...
[  19.8] Performing "ipa-client" ...
[  19.8] Performing "kerberos-hostkeytab" ...
[  19.9] Performing "logfiles" ...
[  19.9] Performing "lvm-system-devices" ...
[  19.9] Performing "machine-id" ...
[  19.9] Performing "mail-spool" ...
[  19.9] Performing "net-hostname" ...
[  19.9] Performing "net-hwaddr" ...
[  19.9] Performing "net-nmconn" ...
[  20.0] Performing "pacct-log" ...
[  20.0] Performing "package-manager-cache" ...
[  20.0] Performing "pam-data" ...
[  20.0] Performing "passwd-backups" ...
[  20.0] Performing "puppet-data-log" ...
[  20.0] Performing "rh-subscription-manager" ...
[  20.1] Performing "rhn-systemid" ...
[  20.1] Performing "rpm-db" ...
[  20.1] Performing "samba-db-log" ...
[  20.1] Performing "script" ...
[  20.1] Performing "smolt-uuid" ...
[  20.1] Performing "ssh-hostkeys" ...
[  20.1] Performing "ssh-userdir" ...
[  20.1] Performing "sssd-db-log" ...
[  20.1] Performing "tmp-files" ...
[  20.2] Performing "udev-persistent-net" ...
[  20.2] Performing "utmp" ...
[  20.2] Performing "yum-uuid" ...
[  20.2] Performing "customize" ...
[  20.2] Setting a random seed
[  20.2] Setting the machine ID in /etc/machine-id
[  20.2] SELinux relabelling
[  35.4] Performing "lvm-uuids" ...
virt-sysprep: error: libguestfs error: vg_activate_all: vgchange:   Logical
volume rhel/root is used by another device.
  Can't deactivate volume group "rhel" with 2 open logical volume(s)

If reporting bugs, run virt-sysprep with debugging enabled and include the
complete output:

  virt-sysprep -v -x [...]


Actual results:
As above

Expected results:
Update virt-sysprep document 

Additional info:

Comment 1 Laszlo Ersek 2022-07-12 10:18:29 UTC

Thanks for the report, will update the documentation, and perhaps also add some "best effort" logic for virt-sysprep not to choke on LUKS-on-LV.

(Background: https://bugzilla.redhat.com/show_bug.cgi?id=1809453#c34 and onwards.)

Comment 2 YongkuiGuo 2022-07-12 10:32:35 UTC

(In reply to Laszlo Ersek from comment #1)
> Thanks for the report, will update the documentation, and perhaps also add
> some "best effort" logic for virt-sysprep not to choke on LUKS-on-LV.
> 
> (Background: https://bugzilla.redhat.com/show_bug.cgi?id=1809453#c34 and
> onwards.)

Got it. Adding "best effort" logic will be wonderful. Thanks.

Comment 3 Laszlo Ersek 2022-07-12 11:43:20 UTC

Argh, this is nasty. Beyond "lvm-uuids", we have another sysprep operation that works on block devices, and not on filesystems: it's called "fs-uuids". It does basically the same (UUID regeneration), just for filesystems, not logical volumes.

Here's why it is a problem: if we close the decrypted devices between unmounting all filesystems and running the device-level operations, then filesystems on LUKS-on-LV devices will no longer be accessible at the block device level, and "fs-uuids" will not see them.

Basically the way filesystems, LUKS block devices, and logical volumes are stacked, virt-sysprep's current lumping-together of all device-level operations is not flexible enough. There is a particular order in which (1) fs unmounting, (2) fs-uuid regen, (3) LUKS closing, and (4) lvm-uuid regen need to occur. The problem is that (1) and (3) are (supposed to be) in "sysprep/main.ml", whereas (2) and (4) are supposed to be "pluggable" and at most reorderable between each other -- but not possible to order relative to (1) and (3). So with this we're hitting an infrastructure / design limit of virt-sysprep.

With LV-on-LUKS this was no problem; we'd never try to close LUKS -- step (3) from above falls away --, so (1) fs unmounting in "main" would occur, then separately the device-level operations (2) fs-uuid and (4) lvm-uuid, would execute successfully in any (unspecified) order between each other.

Rich, any ideas? Thanks.

Comment 4 Laszlo Ersek 2022-07-12 11:44:54 UTC

As a workaround we could try ordering lvm-uuid strictly after fs-uuid (I think we have infrastructure for that), *plus* hack lvm-uuid such that, if the initial LVM deactivation attempt fails, we internally try to close all LUKS devices (again, internally to the lvm-uuid operation). This looks super ugly though.

Comment 5 Laszlo Ersek 2022-07-14 10:40:39 UTC

[guestfs-tools PATCH 0/2] sysprep: full disk encryption improvements
Message-Id: <20220714104005.8334-1-lersek>
https://listman.redhat.com/archives/libguestfs/2022-July/029450.html

Comment 6 Laszlo Ersek 2022-07-15 06:30:47 UTC

(In reply to Laszlo Ersek from comment #5)
> [guestfs-tools PATCH 0/2] sysprep: full disk encryption improvements
> Message-Id: <20220714104005.8334-1-lersek>
> https://listman.redhat.com/archives/libguestfs/2022-July/029450.html

Upstream commit range a7ffb717306f..b49ee909f5d1.

Comment 7 YongkuiGuo 2022-07-18 05:08:19 UTC

Tested with package:
guestfs-tools-1.48.2-5.el9.x86_64

Steps:

1.
# virt-sysprep -a /var/lib/libvirt/images/rhel9-luks-on-lv.qcow2 
[   0.0] Examining the guest ...
Enter key or passphrase ("/dev/rhel/root"): 
Enter key or passphrase ("/dev/rhel/swap"): 
[  38.4] Performing "abrt-data" ...
[  38.4] Performing "backup-files" ...
[  38.9] Performing "bash-history" ...
[  38.9] Performing "blkid-tab" ...
[  38.9] Performing "crash-data" ...
[  38.9] Performing "cron-spool" ...
[  38.9] Performing "dhcp-client-state" ...
[  38.9] Performing "dhcp-server-state" ...
[  38.9] Performing "dovecot-data" ...
[  39.0] Performing "ipa-client" ...
[  39.0] Performing "kerberos-hostkeytab" ...
[  39.0] Performing "logfiles" ...
[  39.0] Performing "lvm-system-devices" ...
[  39.0] Performing "machine-id" ...
[  39.0] Performing "mail-spool" ...
[  39.0] Performing "net-hostname" ...
[  39.0] Performing "net-hwaddr" ...
[  39.1] Performing "net-nmconn" ...
[  39.1] Performing "pacct-log" ...
[  39.1] Performing "package-manager-cache" ...
[  39.1] Performing "pam-data" ...
[  39.1] Performing "passwd-backups" ...
[  39.2] Performing "puppet-data-log" ...
[  39.2] Performing "rh-subscription-manager" ...
[  39.2] Performing "rhn-systemid" ...
[  39.2] Performing "rpm-db" ...
[  39.2] Performing "samba-db-log" ...
[  39.2] Performing "script" ...
[  39.2] Performing "smolt-uuid" ...
[  39.2] Performing "ssh-hostkeys" ...
[  39.2] Performing "ssh-userdir" ...
[  39.3] Performing "sssd-db-log" ...
[  39.3] Performing "tmp-files" ...
[  39.3] Performing "udev-persistent-net" ...
[  39.3] Performing "utmp" ...
[  39.3] Performing "yum-uuid" ...
[  39.3] Performing "customize" ...
[  39.3] Setting a random seed
[  39.3] Setting the machine ID in /etc/machine-id
[  39.3] SELinux relabelling
[  54.6] Performing "lvm-uuids" ...

No error is printed.

2.
# man virt-sysprep
...
Virtual machines that employ full disk encryption internally to the guest should not be considered for cloning and distribution, as it provides multiple parties with the same internal volume key, enabling any one such party to decrypt all the other clones.  Refer to the LUKS FAQ for details.
...

The above lines are added to the man page.

Comment 8 YongkuiGuo 2022-07-22 02:30:08 UTC

Hi,lersek

The Verified:Tested flag has been set, but I don't know why this bug is not added into the erratum automatically. Could you help with that manually? Thanks.

Comment 17 errata-xmlrpc 2022-11-15 09:52:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: guestfs-tools security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7959